Snort mailing list archives
Re: [SPAM] FN on community very old sid 1253 rev 21?
From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 23 Apr 2013 11:37:51 -0400
Thanks for the info. Looking at the rule and the exploit description, I believe the flow is backward and I'm changing it to to_server.

Thanks,

~Patrick

On Mon, Apr 22, 2013 at 5:10 PM, rmkml <rmkml () yahoo fr> wrote:
> Hi,
> Can you check the flow side on this very old rule, which causes an FN, please? (this rule is not enabled by default)
>
> alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:21;)
>
> Regards
> Rmkml
> http://twitter.com/rmkml
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
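An added example, not code from the thread or from Sourcefire: a small Python check for the mismatch rmkml reports, a header written for client-to-server traffic ($EXTERNAL_NET any -> $TELNET_SERVERS 23) paired with flow:to_client, which leaves the rule unable to fire on the exploit traffic it describes. The rule text is constructed from the quoted rule (one reference kept for brevity); the parser assumes a single-line rule whose option values contain no escaped semicolons.

```python
import re

# Constructed sample: sid 1253 as quoted in the thread, and the to_server fix.
SID_1253 = (
    'alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; '
    'flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; '
    'depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; '
    'reference:cve,2001-0554; classtype:successful-admin; sid:1253; rev:21;)'
)
SID_1253_FIXED = SID_1253.replace("flow:to_client", "flow:to_server")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a rule into its header fields and an option-name -> values map."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    hdr = m.groupdict()
    opts = {}
    for opt in hdr.pop("opts").split(";"):  # assumes no escaped ';' in values
        key, _, value = opt.strip().partition(":")
        if key:
            opts.setdefault(key, []).append(value.strip())
    return hdr, opts

def flow_direction(opts):
    """Direction named by the flow keyword, or None if it does not say."""
    words = {w.strip() for w in ",".join(opts.get("flow", [])).split(",")}
    if words & {"to_server", "from_client"}:
        return "to_server"
    return "to_client" if words & {"to_client", "from_server"} else None

def header_direction(hdr):
    """Direction implied by the header: 'any' source port with a fixed
    destination port is client->server traffic; the mirror is server->client."""
    if hdr["dir"] != "->" or (hdr["sport"] == "any") == (hdr["dport"] == "any"):
        return None
    return "to_server" if hdr["sport"] == "any" else "to_client"

def check_flow(rule):
    """Return a finding when the header and the flow keyword disagree, else None."""
    hdr, opts = parse_rule(rule)
    want, have = header_direction(hdr), flow_direction(opts)
    if want and have and want != have:
        return f"sid {opts.get('sid', ['?'])[0]}: header implies {want}, flow says {have}"
    return None
```

Running check_flow over a whole ruleset catches the same class of FN in other rules before they reach a sensor.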